Best iOS Reverse Engineering Tools

You need to reverse engineer an app or a feature when you do not have its source code but still need to know how it works. If that sounds suspicious, here are some entirely legitimate business situations in which reversing comes in handy:

Researching and fixing complicated software issues

Improving the interaction between a software system and the platform

Improving a software system's compatibility with third-party solutions

Researching various types of malware.

Although it is a rather complicated practice, iOS reverse engineering is useful for a broad range of tasks, and a large set of tools is available to help with the process.

Architectures

First, a couple of words about the target architectures, since they dictate tool selection and the general reversing approach.

iOS devices are built on armv7, armv7s and arm64 CPUs, so reversing their code requires the researcher to be familiar with the corresponding instruction sets, calling conventions and some ARM-specific details (such as Thumb mode and the instruction encodings). Keep in mind that Thumb exists only in the 32-bit ARM instruction set; arm64 (AArch64) uses fixed-width 32-bit instructions and has no Thumb mode. Since iOS 11 devices run only 64-bit code, so the armv7/armv7s slices of a binary matter only when you target older firmware.

System frameworks and dylibs are not stored as separate files on the device: they are merged into a single file, the dyld shared cache, located in /System/Library/Caches/com.apple.dyld/ and named dyld_shared_cache_<arch> (for example dyld_shared_cache_arm64). A disassembler therefore needs either the cache itself or the libraries extracted from it to resolve calls into system code.

Apple itself provides two tools you will use constantly:

lldb. The feature-rich default debugger in Xcode. It is a useful reverse engineering tool for C, C++ and Objective-C code, supporting debugging on the desktop, on iOS devices and in the simulator. It is based on the larger LLVM project and reuses its libraries, such as the disassembler. See details: https://lldb.llvm.org/;

dsc_extractor. This tool extracts the individual libraries and frameworks from the dyld shared cache, recreating the original install paths and file names of every object it extracts under the output directory (it takes the cache file and the output directory as its two arguments). Apple provides it as part of the open-source dyld project, and Xcode ships the same code prebuilt as dsc_extractor.bundle under the iPhoneOS platform's usr/lib directory.

Besides the standard tools provided by the vendor, there are several very useful third-party utilities:

IDA (Interactive DisAssembler). It is probably the most widely known and popular disassembler. Being almost a standard for complex reversing tasks, it has to be mentioned among the best iOS reverse engineering software products. Get details here: https://www.hex-rays.com/products/ida;

IDA

IDA provides a comprehensive feature set for effective reverse engineering.

As stated on the official website: “IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.”

IDA has so many features that covering them all would require a separate, large article.

Hopper

Hopper is a disassembler oriented toward macOS and iOS binaries; the tool itself runs on macOS and Linux, and with it you can reverse any macOS or iOS executable.

Some of Hopper's benefits:

oriented toward Objective-C: specialized in recovering Objective-C-specific information (class and method names) from the binary

uses lldb or gdb as its debugger back end

most functions are accessible from Python scripts

displays assembly, pseudocode and the control flow graph (CFG) at the same time, which makes reversing more effective

supports (demangled) Swift names

customizations: user-defined types, semantic coloring, user comments

All of the above makes reversing iOS applications with Hopper more effective and comfortable.

Using Tools to Reverse Engineer

The simplest reverse engineering task is to examine an app executable, either from an .app bundle or from an .ipa. The executable is easy to obtain: for an .app it is the file named by CFBundleExecutable in Info.plist, and an .ipa is a zip archive containing the bundle in its Payload/*.app subdirectory. Then any reversing tool from the list above can be used on this executable. One caveat: binaries downloaded from the App Store are FairPlay-encrypted (their LC_ENCRYPTION_INFO load command has a non-zero cryptid), so a disassembler will see garbage in the encrypted __TEXT range until the binary has been decrypted by dumping it from a running process on a jailbroken device. Development, ad hoc and enterprise builds are not encrypted.
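The procedure above, as an added example that is not part of the original article: a Python script that opens an .ipa, reads CFBundleExecutable from Info.plist, walks the Mach-O fat header to name each architecture slice (the armv7/armv7s/arm64 split from the Architectures section) and reads the cryptid of LC_ENCRYPTION_INFO to flag the FairPlay caveat. The Demo.app bundle, its bundle identifier com.example.demo and the two-slice executable are constructed in memory and are hypothetical; the Mach-O constants are the real ones from Apple's headers.

```python
"""Added example (not from the article): find the main executable inside an
.ipa, list the CPU architectures of its Mach-O slices and flag slices that are
still FairPlay-encrypted. The sample .ipa is constructed in memory."""
import io
import plistlib
import struct
import zipfile
from fnmatch import fnmatch

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE                            # universal header, big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # thin headers, little-endian on ARM
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
ARCH_NAMES = {(CPU_TYPE_ARM, 9): "armv7", (CPU_TYPE_ARM, 11): "armv7s",
              (CPU_TYPE_ARM64, 0): "arm64", (CPU_TYPE_ARM64, 2): "arm64e"}

def arch_name(cputype, cpusubtype):
    # The top byte of cpusubtype holds capability flags, not the subtype.
    key = (cputype, cpusubtype & 0x00FFFFFF)
    return ARCH_NAMES.get(key, f"cputype={cputype:#x}/subtype={cpusubtype:#x}")

def thin_slices(data):
    """Yield (offset, size) of each image: one per fat_arch entry, or the whole file."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        yield 0, len(data)
        return
    for i in range(struct.unpack(">I", data[4:8])[0]):
        _cpu, _sub, offset, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        yield offset, size

def parse_macho(data):
    """One record per slice: arch name, and whether LC_ENCRYPTION_INFO(_64) has cryptid != 0."""
    records = []
    for offset, size in thin_slices(data):
        blob = data[offset:offset + size]
        magic, cputype, cpusubtype, _ft, ncmds, _sz, _fl = struct.unpack("<7I", blob[:28])
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            raise ValueError(f"no little-endian Mach-O header at offset {offset:#x}")
        pos = 32 if magic == MH_MAGIC_64 else 28     # mach_header_64 has a reserved field
        encrypted = False
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack("<II", blob[pos:pos + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                _cryptoff, _cryptsize, cryptid = struct.unpack("<3I", blob[pos + 8:pos + 20])
                encrypted = cryptid != 0
            pos += cmdsize
        records.append({"arch": arch_name(cputype, cpusubtype), "encrypted": encrypted})
    return records

def inspect_ipa(ipa_bytes):
    """An .ipa is a zip: Payload/<name>.app/Info.plist names the main executable."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        plists = [n for n in zf.namelist()
                  if fnmatch(n, "Payload/*.app/Info.plist") and n.count("/") == 2]
        if len(plists) != 1:
            raise ValueError("expected exactly one Payload/<name>.app/Info.plist")
        app_dir = plists[0].rsplit("/", 1)[0]
        info = plistlib.loads(zf.read(plists[0]))
        exe_path = f"{app_dir}/{info['CFBundleExecutable']}"
        slices = parse_macho(zf.read(exe_path))
    return {"bundle_id": info.get("CFBundleIdentifier"), "executable": exe_path,
            "slices": slices}

# Constructed sample input: a hypothetical Demo.app, not a real application.
def build_macho(cputype, cpusubtype, cryptid):
    """Minimal thin Mach-O: header plus a single encryption_info command."""
    is64 = bool(cputype & CPU_ARCH_ABI64)
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                     24 if is64 else 20, 0x4000, 0x8000, cryptid)
    if is64:
        lc += b"\0" * 4                               # encryption_info_command_64.pad
    header = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, cputype,
                         cpusubtype, 2, 1, len(lc), 0)  # MH_EXECUTE, ncmds, sizeofcmds, flags
    return header + (b"\0" * 4 if is64 else b"") + lc  # mach_header_64.reserved

def build_fat(images):
    """Universal binary: fat header, then each image on a 16 KiB boundary."""
    fat, body, offset = struct.pack(">II", FAT_MAGIC, len(images)), b"", 0x4000
    for image in images:
        cputype, cpusubtype = struct.unpack("<II", image[4:12])
        fat += struct.pack(">5I", cputype, cpusubtype, offset, len(image), 14)
        body += image + b"\0" * (-len(image) % 0x4000)
        offset = 0x4000 + len(body)
    return fat.ljust(0x4000, b"\0") + body

def build_sample_ipa(cryptid=1):
    """armv7 + arm64 executable packed as Payload/Demo.app (cryptid=1 mimics an App Store build)."""
    info = plistlib.dumps({"CFBundleExecutable": "Demo", "CFBundleIdentifier": "com.example.demo"},
                          fmt=plistlib.FMT_BINARY)
    exe = build_fat([build_macho(CPU_TYPE_ARM, 9, cryptid), build_macho(CPU_TYPE_ARM64, 0, cryptid)])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Demo.app/Info.plist", info)
        zf.writestr("Payload/Demo.app/Demo", exe)
    return buf.getvalue()
```

inspect_ipa(build_sample_ipa()) returns a report naming Payload/Demo.app/Demo with an armv7 and an arm64 slice, both marked encrypted; inspect_ipa(open("app.ipa", "rb").read()) does the same for a real file. A slice reported as encrypted must be dumped from memory on a device before any of the disassemblers above will show meaningful code, which is exactly the check worth running before spending time in IDA or Hopper.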

The more complicated task is to reverse engineer a part of iOS itself. This usually requires a jailbroken device, but even without one you can try to obtain the file through the Document Interaction functionality.

If you cannot get an executable from the device, you can try the iOS simulator. Keep in mind that the simulator runs natively on the host Mac's architecture (x86_64 on Intel Macs, arm64 on Apple silicon), so its machine code differs from that on a real iOS device. Nevertheless, the daemons and framework interfaces correspond to those on iOS devices.

Reversing kernel extensions (.kext)

Sometimes it is necessary to reverse kernel extensions (the macOS counterpart of Windows drivers). A macOS kernel extension is simply a folder with the .kext extension and a bundle-like structure. The target file for reversing is the executable with the same name as the .kext, located in its Contents/MacOS subfolder.

Reversing a kernel extension is the same as reversing an ordinary application, but be warned that the majority of kexts are written at least partially in C++ (the I/O Kit driver API is C++), so expect mangled symbol names and virtual method tables.

Conclusion

Reverse engineering on a closed platform like iOS can require significant time and effort as well as specific skills. Nevertheless, a set of iOS reverse engineering tools and approaches has been developed to facilitate the task.

About Dennis Turpitka

Dennis Turpitka, CEO of Apriorit, is an expert in digital security solution design and development, virtualization and cloud computing R&D projects, and the establishment and management of a software research direction. A successful entrepreneur who has organized several security start-ups.